National Press Club
Secretary Napolitano: Good morning. I'm happy to report it's snowing very hard right now, so that's the weather report from outside this room. But that makes it all the more wonderful to be inside, and to be with you today. So thank you for having me. Thank you for convening on this important subject.
We have been spending a lot of time on cyber issues at the Department of Homeland Security. And indeed, across the administration, we have, in my judgment, made a lot of progress this past year in terms of building the capability necessary to manage cyber incidents at the national level. And over the past year, we have seen the full spectrum of cyber threats, from spamming to the now service attacks, and attempts to inject dangerous pieces of spyware, among other things.
So I think there is a clear recognition of the size and scope of the challenge involved in securing cyber networks, and by extension — and this is where DHS gets involved — securing the critical infrastructure of the country.
So I think in addition to that recognition, there is also a more profound understanding of the kinds of partnerships that are necessary to deal with the cyber challenge. So what I'd like to do this morning is to take a step back and discuss, in a somewhat broad way, how we see the cyber challenge at the Department, and how we are approaching that challenge
First, let me say from the start, we really get it. Indeed, the Department this year produced its first-ever Quadrennial Homeland Security Review. And in that review — the Department is turning 8 years old in March, so in terms of institution building, it's still relatively young. And it was an amalgam of 22 different agencies that were all put under the umbrella and called the Department of Homeland Security.
One of the things we did through the QHSR project was to say, what are our fundamental missions at Homeland Security. Counterterrorism, obviously, that's why we were founded; securing our borders, and that's air, land, and sea, makes sense; enforcing our nation's immigration laws, which we have done, and actually we removed from the country, more people in the last two years than any two years in our nation's history, in terms of enforcement.
But the next major mission area was the protection of cyberspace. And these are not in order, per se. These were just to pick five major mission areas; counterterrorism, priority; but securing the borders; immigration enforcement; protection of cyberspace; and then the ability to respond to, and mitigate, and be resilient to disasters of whatever type when they occur.
So the fact that cyberspace was specifically singled out in the QHSR process, amongst the myriad other issues that are within the Department of Homeland Security, I think indicates the fundamental understanding that we have on the importance of the problem.
Secondly, it is our goal to build one of the very best teams that we can to tackle this cybersecurity challenge. This has got to be a team effort. It's within the Department, but no single agency or industry, quite frankly, can manage it. And so we need, at the Department, to have highly skilled, highly creative, highly dedicated men and women who are ready to come and meet and really think through what the nation needs by the way of cyber protection.
By the way, if any of us, or any of you know anyone who is highly skilled and wants to come serve their country, I will take their résumé after this discussion.
Finally, I want to stress that cybersecurity isn't about control. It's not about government control. It is about partnerships. But partnership needs to have some effectiveness. There needs to be meat on the bone when we say partnership. And there needs to be widespread distributed action toward that goal, so that we view this much more as creating, if I may, layered security involving partnerships, as opposed to top-down or government-down. So we are working more closely than ever to identify the private sector partners who we need, and work with them, and also across the federal family.
Indeed, just this past fall, I signed, I think, a landmark agreement with Secretary Gates to better align our resources and actions, because the two of us recognize that between the Department of Homeland Security and the Department of Defense, you have 90 percent plus of the cyber equities in the federal family. And if you look at the President's cyber review and where responsibilities were assigned, on the civilian side, it's DHS, and on the military side, it's DOD.
Not only did we assign that, but we have cross-assigned individuals, and through that agreement, have identified how the technology resource base of the NSA will be employed, both on the military side, but, importantly, on the civilian side. And, indeed, for the first time ever, we have individuals who are now stationed at NSA, including, by the way, legal counsel and privacy officers, because there are particular protections that need to be applied in the civilian context. And that gives us the ability to tap into that incredible resource. And as I said before, we're also engaging with private industry and the general public, in what I think are some really novel ways.
So that is all happening. At the same time, I recognize, and our Department recognizes, that much more needs to be done in this critical area, and that there needs to be not just a broad-base national commitment, but we need to actually be working together to create a national culture that provides that users at every level know that they are part of a system, know what they need to do to help us protect security, and have greater confidence, indeed, in the security of the system.
So we need to build a cyber system in which the distributed nature of cyberspace becomes a great benefit, not a great weakness, and where people at all levels understand the shared responsibility that goes into that concept. It means that users, businesses, the technology industry, the government, everybody, has a role to play.
We have to do our own part in the federal government. We must secure our own systems, and we are working to get that done, but we also must assist the private sector in securing itself and in enforcing the law, and indeed, I think laying the policy foundations for the future.
For example, we need, I believe, a more transparent and inclusive cybersecurity policy-making process that brings the best minds to the table and the best minds from a number of different areas. We need colleges and universities to make cybersecurity a multi-disciplinary pursuit so that we have policymakers who understand technology, but we also have technologists who understand policymaking, and we get rid of that divide that currently exists.
Now, there are some who say that cybersecurity should be left to the market. The market will take care of it, and there are some who characterize the Internet as a battlefield on which we are fighting a war. So it's the market or the war. Those are the two analogies that you hear.
Not surprisingly, I take a different position. In my view, cyberspace is fundamentally a civilian space, and government has a role to help protect it, in partnership with responsible partners across the economy and across the globe.
So let me just say that again. In my judgment, both the market and the battlefield analogies are the wrong ones for us to use. We should be talking about this as, fundamentally, a civilian space and a civilian benefit that employs partnerships with the private sector and across the globe.
So we're proud to be a part of that global effort. We believe in the importance of an open Internet, but we cannot have an Internet that is open, but not secure, nor an Internet that is secure but not open. And I think just by saying that, that lays down the challenge that we confront.
Now, the challenge is unique, and it's uniquely urgent. Cyber really equates to life's essential functions now. You can't imagine operating without cyber. A major disruption of our cyber networks could have cascading effects, not only within the cyber domain, but across multiple other sectors and elements of our critical infrastructure, crippling commerce, disrupting other aspects of Americans' daily lives. And because the cyber domain is so widely distributed, every single user becomes a consumer and a contributor, but also a potential source of security or insecurity. And that goes to the point I was making earlier, that every single user in this civilian cyberspace has a role to play in its security.
Our mission is to make sure that we assist in that, that we see cyber as part and parcel of a secure homeland, not something separate or distinct from every other mission that we have. So first, we are working to create a safe, secure, resilient cyber environment. We're taking action to protect federal civilian networks, to improve our intrusion detection capabilities, and to create more robust and resilient systems that can withstand attacks, and also help prevent attacks from occurring.
Now, there has been some real progress in this past year. We've had progress deploying EINSTEIN 2 across federal agencies in civilian space. We have released and tested a version of the National Cyber Incident Response Plan, the NCIRP, to enable us to respond as one nation, across the public and private sectors, to cyber incidents.
We have opened and are now growing the National Cybersecurity and Communications Integration Center, also known as the NCCIC, and that is a 24/7 watch and warning center. And we are holding the National Cybersecurity Challenge to bring the expertise and creativity of the public and the private sectors to bear in promoting cybersecurity.
We have also in this past year I think expanded our partnerships with the private sector to protect our nation's critical infrastructure. The ones I would specify is working with are chemical plants, communication systems, and the control systems that operate our electric, water, and other utilities, including deploying teams to work with and to respond to cyber incidents that have involved critical infrastructure.
We have made progress by building ourselves, our expert team of cyber professionals, to lead this work. DHS Deputy Undersecretary Phil Reitinger has nearly tripled the size of the National Security Division cyber workforce this year over last year. And last year, we doubled it over the year before. So we're moving in the right direction. And as I said before, if you know of individuals, we are actively recruiting people to serve their country.
We are also working to promote cybersecurity awareness, education, and innovation; educating the public with information they need about cyber threats, that enables us to strengthen our collective defense, and also making sure that industry, as I said, is actively involved in our efforts.
Now, I think it's fair to say that we need to be engineering some fundamental changes to Internet security. Cybersecurity must be a core component. It must be integral from the start, not something that's added on at the end; oh, we built this really cool thing, and it can do this really cool stuff, and now it's out there and it's really cool, and, oh by the way, we've got to do something about keeping it secure. No. You have to consider this as a core competency within the build-out of the Internet itself.
So in that, the domain of cyberspace, in a way, requires a redesign or perhaps a fundamental shift in approach so that it is safe and secure from the outset. And it's a place where a vibrant and open international economic and social order can thrive.
That's why we think informing and engaging the public is important. That's why we believe our National Cybersecurity Awareness Campaign, underway now, which will be growing over the next year, is important. It's why we launched the Stop, Think, Connect Campaign last October as part of National Cybersecurity Awareness Month. And it's why I'm asking all of you, if you have not signed up to help us on engaging the public and public awareness growth, to sign up with us now, and to consider becoming a friend of the cyber awareness campaign.
When you are signed up as a friend, you receive regular updates, you take part in some of our challenge contests, and we can support and hold forums at your own institutions. So please, please consider becoming part of the public awareness efforts, and a friend of our own campaigns.
As I said before, I mentioned, we're working very closely along and across the federal family, particularly having worked out really the thorny issues involving how the NSA is to be used in a civilian context for protection and prevention, as well as in a military context; very different types of worlds, and we want to make sure that we do it the right way, and we do it the right away from the outset.
So let me just close with this thought. A secure and resilient cyber environment depends on everybody in this room. It depends on people who are not in this room. But if you are here, I'm assuming that you're already part of trying to address some of the issues that are raised. How do you keep an open Internet but also a secure one? And how do you work with us, and how do we work with you to get that done?
Those are the kinds of challenges our country has confronted before, and by putting our best minds together, we have always met those kinds of challenges. This one may be bigger, more complex, and require more of our effort than anything we've ever dealt with. And we're going to have to make sure that we deal with it in the right way, because we are laying the foundation for the future. Thank you all very much.